
Technical Support Forums

Free, outstanding support from WebAssist and your colleagues


Limit login attempts

Thread began 9/12/2010 8:31 pm by Jaffa | Last modified 1/06/2011 2:27 pm by Jason Byrnes | 3612 views | 3 replies |

Jaffa

Limit login attempts

Is there a way to limit login attempts? Using cookies isn't an option due to the fact that a hacker may very well block cookies. ADDT had a great implementation of this and wondered how hard it would be in WA?

Cheers


Jason Byrnes (WebAssist)

You can do this using the Set Session Value server behavior of Cookies Toolkit.

1) You will need to initialize the session to 0 if it does not exist:
On the server behaviors panel, click the plus button and select WA Cookies Toolkit -> Set Session Value.


Trigger: If Session Variable is not defined
Name: loginCount
Value: 0

2) Increment the session on login attempt:
On the server behaviors panel, click the plus button and select WA Cookies Toolkit -> Set Session Value.


Trigger: Any Form Post
Name: loginCount
Value: click the lightning bolt, and select the loginCount session. The code added will look like:

php:
<?php echo $_SESSION['loginCount']; ?>

Change it to:

php:
<?php echo $_SESSION['loginCount'] + 1; ?>

This will add one every time the login form is posted.

3) Create a new rule to check the login attempts:
Go to Modify -> Security Assist -> Access Rules Manager.

Create new rule:
Name: Max Logins
Conditions: check Allow
Value: Click the lightning bolt and select the loginCount session
Criteria: <
Compare to: 4


4) Add the access rule to the login page.
Go to Insert -> WebAssist -> SecurityAssist -> Page Access

Select the Max Logins rule.

After the page access rule is applied, double check in code view that the session code is before the page access rule code.


Andrew Read

Hi Jason (or others,)

I am looking to do something similar to this; however, in this instance, if the user exits the browser and comes back they can just start attempting to log in again as they will have cleared their session.

Do you have any suggestions as to how to make this more secure? Logging IP address of failed attempts maybe, at least one could track where they are coming from?

I am looking at this from the eyes of an ADDT user - It used to track all this - store failed attempts in the database and lock a user out for an amount of time if they did have too many attempts.

I would also track when a user logged in and from what IP address - this has come in handy a number of times when I've tried to track down what user was having an issue with a web application within the secure area.

Thanks for any ideas - or why I don't need to bother is also good. :)


Jason Byrnes (WebAssist)

Since the login count is being tracked in the session, it will automatically be cleared when the browser is closed.


If you wanted to track IP, you could set up a table in the database to track failed attempts.

Probably set it up so that when the max number of attempts is reached, it updates the table to store the IP address.

Use:
<?php echo((isset($_SERVER["REMOTE_ADDR"]))?$_SERVER["REMOTE_ADDR"]:"") ?>

to get the IP.

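What the last two posts describe (failed attempts stored in a database table together with the IP, and a timed lockout that survives a closed browser), as an added example that is not part of the original thread and is not WebAssist code. The table, the function names, the 15-minute window, the sample account and the in-memory SQLite store (which needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example; table, column and function names are assumptions, not WebAssist code.
const MAX_FAILURES   = 4;    // same limit as the "Max Logins" rule in the thread
const WINDOW_SECONDS = 900;  // assumed 15-minute lockout window
function openStore(): PDO {
    $pdo = new PDO('sqlite::memory:');  // demo store; point this at the site database
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE failed_logins (
        username TEXT NOT NULL, ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    return $pdo;
}

// Count failures inside the window for one account or one source address.
function recentFailures(PDO $pdo, string $column, string $value, int $now): int {
    if (!in_array($column, ['username', 'ip'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM failed_logins WHERE $column = ? AND attempted_at > ?");
    $stmt->execute([$value, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function isLockedOut(PDO $pdo, string $user, string $ip, int $now): bool {
    return recentFailures($pdo, 'username', $user, $now) >= MAX_FAILURES
        || recentFailures($pdo, 'ip', $ip, $now) >= MAX_FAILURES;
}

function attemptLogin(PDO $pdo, callable $verify, string $user, string $pass, string $ip, int $now): string {
    if (isLockedOut($pdo, $user, $ip, $now)) {
        return 'locked';  // decided before the password is checked, and no session is involved
    }
    if ($verify($user, $pass)) {
        $pdo->prepare('DELETE FROM failed_logins WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    $pdo->prepare('INSERT INTO failed_logins (username, ip, attempted_at) VALUES (?, ?, ?)')
        ->execute([$user, $ip, $now]);
    return 'failed';
}

// Constructed demo: one account, a documentation-range IP when run from the command line.
$pdo    = openStore();
$verify = fn(string $u, string $p): bool => $u === 'alice' && hash_equals('correct horse', $p);
$ip     = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';
$t      = 1000000;
for ($i = 1; $i <= 5; $i++) {
    echo "attempt $i: ", attemptLogin($pdo, $verify, 'alice', "guess$i", $ip, $t + $i), "\n";
}
echo 'in window: ', attemptLogin($pdo, $verify, 'alice', 'correct horse', $ip, $t + 10), "\n";
echo 'after window: ', attemptLogin($pdo, $verify, 'alice', 'correct horse', $ip, $t + WINDOW_SECONDS + 10), "\n";
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the per-IP count would then lock out every visitor at once; the per-account count is unaffected.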
